Meet the machines that steal your phone’s data

Keeping tabs on civilian phones? There's more than one way to skin that cat.

The National Security Agency’s spying tactics are being intensely scrutinized following the recent leaks of secret documents. However, the NSA isn't the only US government agency using controversial surveillance methods.

Monitoring citizens' cell phones without their knowledge is a booming business. From Arizona to California, Florida to Texas, state and federal authorities have been quietly investing millions of dollars acquiring clandestine mobile phone surveillance equipment in the past decade.

Earlier this year, a covert tool called the “Stingray” that can gather data from hundreds of phones over targeted areas attracted international attention. Rights groups alleged that its use could be unlawful. But the same company that exclusively manufactures the Stingray—Florida-based Harris Corporation—has for years been selling government agencies an entire range of secretive mobile phone surveillance technologies from a catalogue that it conceals from the public on national security grounds.

Details about the devices are not disclosed on the Harris website, and marketing materials come with a warning that anyone distributing them outside law enforcement agencies or telecom firms could be committing a crime punishable by up to five years in jail.

These little-known cousins of the Stingray can not only track movements—they can also perform denial-of-service attacks on phones and intercept conversations. Since 2004, Harris has earned more than $40 million from spy technology contracts with city, state, and federal authorities in the US, according to procurement records.

In an effort to inform the debate around controversial covert government tactics, Ars has compiled a list of this equipment by scrutinizing publicly available purchasing contracts published on government websites and marketing materials obtained through equipment resellers. Disclosed, in some cases for the first time, are photographs of the Harris spy tools, their cost, names, capabilities, and the agencies known to have purchased them.

What follows is the most comprehensive picture to date of the mobile phone surveillance technology that has been deployed in the US over the past decade.

“Stingray”

The Stingray has become the most widely known and contentious spy tool used by government agencies to track mobile phones, in part due to an Arizona court case that called the legality of its use into question. It’s a box-shaped portable device, sometimes described as an “IMSI catcher,” that gathers information from phones by sending out a signal that tricks them into connecting to it. The Stingray can be covertly set up virtually anywhere—in the back of a vehicle, for instance—and can be used over a targeted radius to collect hundreds of unique phone identifying codes, such as the International Mobile Subscriber Number (IMSI) and the Electronic Serial Number (ESN). The authorities can then home in on specific phones of interest to monitor the location of the user in real time or use the spy tool to log a record of all phones in a targeted area at a particular time.

The FBI uses the Stingray to track suspects and says that it does not use the tool to intercept the content of communications. However, this capability does exist. Procurement documents indicate that the Stingray can also be used with software called “FishHawk,” (PDF) which boosts the device’s capabilities by allowing authorities to eavesdrop on conversations. Other similar Harris software includes “Porpoise,” which is sold on a USB drive and is designed to be installed on a laptop and used in conjunction with transceivers—possibly including the Stingray—for surveillance of text messages.

Similar devices are sold by other government spy technology suppliers, but US authorities appear to use Harris equipment exclusively. They've awarded the company “sole source” contracts because its spy tools provide capabilities that authorities claim other companies do not offer. The Stingray has become so popular, in fact, that “Stingray” has become a generic name used informally to describe all kinds of IMSI catcher-style devices.

First used: Trademark records show that a registration for the Stingray was first filed in August 2001. Earlier versions of the technology—sometimes described as “digital analyzers” or “cell site simulators” by the FBI—were being deployed in the mid-1990s. An upgraded version of the Stingray, named the “Stingray II,” was introduced to the spy tech market by Harris Corp. between 2007 and 2008. Photographs filed with the US Patent and Trademark Office depict the Stingray II as a more sophisticated device, with many additional USB inputs and a switch for a “GPS antenna,” which is likely used to assist in location tracking.

Cost: $68,479 for the original Stingray; $134,952 for Stingray II.

Agencies: Federal authorities have spent more than $30 million on Stingrays and related equipment and training since 2004, according to procurement records. Purchasing agencies include the FBI, DEA, Secret Service, US Immigration and Customs Enforcement, the Internal Revenue Service, the Army, and the Navy. Cops in Arizona, Maryland, Florida, North Carolina, Texas, and California have also either purchased or considered purchasing the devices, according to public records. In one case, procurement records (PDF) show cops in Miami obtained a Stingray to monitor phones at a free trade conference held in Miami in 2003.

“Gossamer”

The Gossamer is a small portable device that can be used to secretly gather data on mobile phones operating in a target area. It sends out a covert signal that tricks phones into handing over their unique codes—such as the IMSI and TMSI—which can be used to identify users and home in on specific devices of interest. What makes it different from the Stingray? Not only is the Gossamer much smaller, but it can also be used to perform a denial-of-service attack on phone users, blocking targeted people from making or receiving calls, according to marketing materials (PDF) published by a Brazilian reseller of the Harris equipment. The Gossamer has the appearance of a clunky-looking handheld transceiver. One photograph filed with the US Patent and Trademark Office shows it displaying an option for "mobile interrogation" on its small LCD screen, which sits above a telephone-style keypad.

First used: Trademark records show that a registration for the Gossamer was first filed in October 2001.

Cost: $19,696.

Agencies: Between 2005 and 2009, the FBI, Special Operations Command, and Immigration and Customs Enforcement spent more than $1.3 million purchasing Harris’ Gossamer technology and upgrading existing Gossamer units, according to procurement records. Most of the $1.3 million was spent by the FBI as part of a large contract in 2005.

Great article and I am sure will get some heavy-hitter feedback from the US Government agencies you mentioned in the article.

I completely disagree that the Government use of this equipment without a valid warrant is a "gray zone." Spying is so black and white, that I do not understand why people are having gray zone discussions about the issue. I have a reasonable expectation of privacy for my communications via cell. Tricking my cell phone into sending my signal to a Government receiver is exactly the type of unreasonable government intrusion on privacy that the 4th Amendment and the federal Communications Act sought to prevent.

The US Government is most likely secretive about these tactics because of two reasons: (1) It is blatantly unconstitutional and they are trying to ride this out as long as possible, (2) They do not want the bad guys (everyone in the USA) to know what they are doing, so they will not get shut down.

I understand the treat to privacy this tech brings with it, but rightful use of these devices that occurs to me is for example in the case of kidnappings and large scale drug trafficking in general. Modern crime has always relied heavily on phone communication for planning, coordination and execution.

Put this company on your list of shady operators: http://www.g3ti.net/ They do some sort of cellular SIGINT at the US/Mexico border. Also they were recently awarded a contract to set up a GSM "range" at Eglin AFB.

Definitely not a "treat" to privacy. I agree, there are valid use cases. OTOH, the article ends right on: the capability is too exploitable to be kept "secret".

I wonder if a system could be designed that would only allow valid eavesdropping and disruption of service? What would it look like? If it can't be designed, what then? Do we nurture an exploitable system or do we bake in unexploitability?

With all the advances in technology and the cyber world and just about every technique in the world being disclosed publicly on the internet by "security experts" or hackers..... Seriously, did people really not expect that a company would not roll something into a product about monitoring those very things it could make money from?

I hope everyone in the arstechnica forum is tech savvy enough to know that any number of materials are available to encase your cell phone. Some products are commercially available and others you must purchase and make or fabricate your own case. You are looking for materials to absorb -40 to -100 db of RF energy.

Sure, once you switch your phone on to talk it will transmit your ID code for your cell's CPU etc....

Why help the tyrannical bastar_s? Make your call and put the phone back in its case.

FYI... this does nothing for you if you have a GPS transmitter placed under your vehicle or under the dash, trunk or hood. For this, research devices which are known as RF probes. No magic here, they detect RF energy across the frequencies used to transmit cell and GPS data.

Do the research before you dismiss this.

There is this thing called a battery. Remove it if you want to be sure the phone isn't finking you out. If you can't pull your battery, hey, it is your own fault for buying a phone with a captive battery.

Detecting transmitters on a vehicle is probably best done visually. ELINT/TSCM is much harder than you think. This is especially true if the bug is designed to only transmit intermittently. A nonlinear junction detector, the best bug sniffer, is pretty useless on a car since it is full of semiconductor junctions.

Most of us carry a phone that's "on" most of the time. You know, to receive calls? An IMSI catcher will convince my phone to talk to it regardless of what fancy baggy I put around it.

Most of the objections here are not drug dealers trying to avoid detection and tracking. Most of us just object to having every last ounce of privacy stripped away with no public discourse on the topic at all.

My only issue, because it's the underlying issue as I see it, is that these aren't being properly warranted.

I'm OK with their use when required; as someone said above, looking for keywords for a kidnapping, or if the police know a drug deal is going down in a particular area.

But--largely due to the judiciary not knowing the capabilities*--I think they're getting overused and undermonitored. Part of this is that warrants should only be _specifically_ issued. "We need to use this at DEFCON because it's full of hackers" is not specific; "We need to use this at DEFCON because these exhibits show that someone going by the handle '3vulh4ck3r' is planning on selling illegally-acquired data at or around that event" is (IMO) reasonable.

I'm starting to think it's time to scrap the US and start over with US v2.0. Go back to the basic Constitution and update and clarify some points, e.g. put in big letters "If this document doesn't specifically allow the government to do something, it can't. Period. No exceptions.", and "Congress can reduce the power of the government by passing laws, but an Amendment is required to increase it.". Maybe create a new Department of Watching The Fuck Out Of The Government, responsible solely for prying into everything government employees do, with a bounty system to encourage them to be diligent about it.

Removing the battery is nonsense. The equipment and knowledge to do this is easily available. As my last sentence says.... do the homework before you discount this information. Burst transmitters are time oriented devices. Do we have the ability to monitor electrical events versus time? Yes we can.

I wonder if there are methods (or even could be) to detect these things being used against your phone, and then DOS them or in some other way disrupt their function?

The tower spoofing should be easy to detect with an app. Similar to detecting wifi spoofs, namely inconsistent signal strength. Possibly the tower data looks funky too, but without having a Stingray handy, I can't say.

Note that these spooks can silent ping your phone via the cellular system, so they can locate you in a passive manner. The silent ping makes your phone transmit an "ack" (more or less), then they direction find that signal. I have SMS blocked at the carrier, so if they want to silent ping me, they at least have to go to the carrier and make provisions to do so. SMS has terrible security, so blocking it is no loss as far as I am concerned.
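
The signal-strength and tower-data checks suggested in the comment above can be expressed as scoring logic over serving-cell observations. This is an added example, not code from the article or any commenter; the observation fields, the 20 dB threshold, the empty-neighbour-list and downgrade heuristics, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}


@dataclass(frozen=True)
class CellObs:
    """One serving-cell reading as a handset might log it (hypothetical schema)."""
    t: int          # seconds since start of capture
    mcc: int        # mobile country code
    mnc: int        # mobile network code
    lac: int        # location area code
    cid: int        # cell id
    rat: str        # "2G", "3G" or "4G"
    rssi_dbm: int   # received signal strength
    neighbors: int  # neighbour cells the serving cell advertises

    @property
    def key(self):
        return (self.mcc, self.mnc, self.lac, self.cid)


def build_baseline(history):
    """Median RSSI per known cell, learned from earlier readings at this location."""
    samples = {}
    for o in history:
        samples.setdefault(o.key, []).append(o.rssi_dbm)
    return {k: median(v) for k, v in samples.items()}


def anomalies(obs, baseline, prev=None, jump_db=20):
    """Return the indicators one reading trips; none is conclusive on its own."""
    reasons = []
    if obs.key in baseline:
        # "Inconsistent signal strength": a known cell far from its usual level.
        if abs(obs.rssi_dbm - baseline[obs.key]) > jump_db:
            reasons.append("signal-jump")
    else:
        # "Tower data looks funky": identity never seen here before...
        reasons.append("unknown-cell")
        # ...and louder than every tower normally heard at this spot.
        if baseline and obs.rssi_dbm > max(baseline.values()):
            reasons.append("strongest-is-unknown")
    if obs.neighbors == 0:
        reasons.append("no-neighbours")      # assumed heuristic
    if prev is not None and RAT_RANK[obs.rat] < RAT_RANK[prev.rat]:
        reasons.append("rat-downgrade")      # assumed heuristic
    return reasons


def scan(history, live, min_reasons=2):
    """Alert only when several indicators coincide, to limit false positives."""
    baseline = build_baseline(history)
    prev = history[-1] if history else None
    alerts = []
    for o in live:
        reasons = anomalies(o, baseline, prev)
        if len(reasons) >= min_reasons:
            alerts.append((o.t, o.key, reasons))
        prev = o
    return alerts


# Constructed sample data: two towers normally heard at one location.
HISTORY = [
    CellObs(0, 310, 410, 1201, 5001, "4G", -95, 5),
    CellObs(10, 310, 410, 1201, 5001, "4G", -93, 5),
    CellObs(20, 310, 410, 1201, 5002, "4G", -101, 4),
    CellObs(30, 310, 410, 1201, 5001, "4G", -97, 5),
    CellObs(40, 310, 410, 1201, 5002, "4G", -99, 4),
]
# Constructed live readings: normal, suspicious, one-off jump, new but quiet cell.
LIVE = [
    CellObs(100, 310, 410, 1201, 5001, "4G", -94, 5),
    CellObs(160, 310, 410, 9999, 77, "2G", -51, 0),
    CellObs(220, 310, 410, 1201, 5001, "4G", -60, 5),
    CellObs(280, 310, 410, 1201, 5003, "4G", -104, 6),
]

if __name__ == "__main__":
    for t, key, reasons in scan(HISTORY, LIVE):
        print(t, key, ", ".join(reasons))
```

Requiring two or more indicators keeps a single signal jump or a newly seen quiet cell from raising an alert by itself, which matters because ordinary network changes trip each heuristic individually.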

An appropriate case blocks the ability to send or receive calls or transmit information.

Missed calls for many folks roll over to voice mail and text into the mail box.

I object to having my inalienable right against unlawful searches always; public discourse or not. What the government is doing to the citizens is known as intercourse.

Why worry about technical problems that are too difficult for all but digital engineers to solve? Keep your phone in a case that absorbs RF energy and be done with it. No signal = no ping. Got it?

The FBI has previously stated in response to questions about the Stingray device that it "strives to protect our country and its people using every available tool—even if it's morally, ethically and Constitutionally wrong. I mean, the ends justify the means, amirite?"

I imagine that was the full quote.

Our forefathers risked being hanged by the King of England to create the country many of us live in. That speaks volumes. What is the official motto of New Hampshire? "Live Free or Die"

Why would I want a phone that can't receive calls? Might as well use a brick, it's cheaper and performs the same functions.

Me thinks you never hunted a bug. Yep.

Me no takes the bait.

Do the homework....

I don't need to do any homework. First of all, I use a phone where you can pull the battery. I know how to go dark.

Second I have done transmitter hunting. I have broadband detection gear. (1MHz to 10GHz). The problem is if the bug isn't continuous, you will have a hard time detecting it. Further, the GPS trackers can be set up to only sing when the vehicle is moving. Hey like it has a GPS and knows when it is in motion. Plus this conserves the battery.

I have also done Doppler RDF, but if you ever did this, you would know that is hard to do on a cellular signal. They are too white. You need to do multiple receivers and cross-correlation of the signals.

As I stated in my reply to your first silly post, the only way to detect a bug that is not transmitting is with a nonlinear junction detector (NLJ). That will never work on a vehicle. You need to physically inspect vehicles for such devices.

If you watch the movie "The Conversation", Gene Hackman is using one near the end of the movie but finally goes gonzo and does a physical search.

The gross breaches of personal rights aside, they use some seriously ugly hardware. You'd think if this stuff is going to ever be taken out in public you'd want it to blend in just slightly. Instead your average FBI/NSA/TLA branch is going to stand out like a sore thumb.

A. i am a Harris equip nerd, always wanted one of their falcon radios. they are like 40K and of course classified. so no chance of that, and then -- lo and behold -- i saw one in the recent tom cruise pretty-alright-futurama, oblivion. cool.

B. this market is such a f-ing scam. on the u.s gov, on the u.s. taxpayers. these boxes are minor techno-wonders sure, but they ain't worth no $100K. obv. paying for the know how, but .. jeepers. way to fleece us. reminds me of that 5000 dollar hammer or toilet seat or whatever that was on a gov purchase order years ago. gsa has got to be the best scam going in this country.

C. i don't think this type of surveillance is by definition illegal, just as wiretapping is not illegal -- IF you have a warrant backed up by pc. i assume the same prerequisites are in effect here, it is a 'wiretap', just not a guy in a flannel shirt hanging from a utility pole anymore.. now it's a nerd in dockers guzzling redbull in the back of a suburban. and i guess that's the root of it. now that everything is digital hiding the communications tapping you're up to is much easier, cause there is no guy on a pole, there's just usually a guy at a computer somewhere, anywhere... cellular triangulation is one of the few taps that still requires field deployment....

What with IPs, MAC addresses for multiple chips and the like, what do you think? You have stated a few facts. Are you OK with this? All governments waste big bucks. Most governments violate "our standard(s)" of civil liberties; that is what makes us better in my not so humble opinion.

What do you suggest as the remedy? Donald Rumsfeld told staff to not bring complaints to his door without a better suggestion.